Like many companies competing in the age of digitization, Aflac, Inc. is undergoing a transformation to modernize our IT delivery platforms and methods. The goal is to facilitate higher quality products and services to better serve our policyholders, help build value for our shareholders and supply superior services for our agents. It is incumbent upon IT and information security to support the execution of this mission using proven processes and cutting-edge technology.
There are regulatory obstacles to meeting these goals, because the company has access to customers' private financial, health and credit card data. We need to meet the demands of a range of regulations, including the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act and PCI-DSS. To ensure compliance with these regulatory frameworks, we must protect the confidentiality, integrity, availability and accountability of Aflac's company and client information. Automating our information security and technology governance program helps us maintain regulatory compliance while still achieving our business objectives.
Governance, risk and compliance (GRC) automation is successful only with the right foundation in place: The right team must be chosen that can analyze risk and compliance processes, and then map these processes into business objectives. The following are five critical steps to GRC automation.
1. Start with one use case and expand: Aflac targeted IT risk management first, because we determined that the risk assessment process was in need of improvement and could benefit from automation. We are rebuilding our risk mitigation processes, including the development of an asset repository. Once our team assesses the risk stemming from our vendors, applications and systems, then we will dedicate a group of people to the next phase of automation. Regardless of where an organization starts, each GRC automation phase doesn't have to be 100% complete in order to proceed. It's more important to get the foundation built and governance modules in place. Then, the company can expand into other areas.
2. Create an enterprise framework as a foundation: The National Institute of Standards and Technology (NIST), ISO and COBIT all offer great regulatory frameworks with which to start. Aflac is using a hybrid NIST/COBIT model. We found a hybrid model to be the best fit for us because of our significant compliance needs. For example, after building our asset management capabilities, we then match those with Federal Financial Institutions Examination Council criteria, and through that streamline compliance across other standards and regulations. These include bank requirements such as GLBA, or payment card requirements such as PCI.
3. Evaluate GRC automation tools: After taking stock of the team, processes and tools available to support GRC, we started looking for ways to automate and centralize risk management activities. We looked at several GRC vendors and evaluated each based on the following requirements:
- The ability to implement GRC automation rapidly, but with minimal impact on company processes during implementation. We also wanted a product with proven scalability so it could adapt to changing compliance regulations.
- The vendor's previous experience with GRC automation and enterprise risk management capabilities. Also, the vendor's past record with implementing GLBA, HIPAA and PCI security compliance processes.
- The details of the partnership, including affordable pricing and how technical support will respond to any problems.
The GRC vendor we selected meets the above requirements and works with us to ensure alignment with Aflac's business goals and strategies.
4. Map risk and compliance goals into business metrics: Technology compliance generates its own form of risk. We need enough transparency and flexibility to ensure that we achieve technology compliance at a reasonable cost to the business. We can then focus on defining risk thresholds and driving risk down to acceptable levels. This process includes:
- Completing a risk assessment
- Creating a risk register to outline key risks
- Measuring the inherent risk in terms of probability and impact
- Listing mitigating controls and determining residual risk
We also have to be transparent with our priorities. We might have a process that is considered high risk, but a mitigating control brings it down to a low level. What might seem low risk, however, might not have any controls at all and therefore becomes a high risk. We must know where to direct our attention. Automation allows us to mature this process in a more systematic way, because it is impossible to effectively align these risks and controls when using a manual process.
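To make the four-step process above concrete, here is an added worked example of a small risk register (it is illustrative code written for this article, not Aflac's tooling or data). It assumes a hypothetical 1-to-3 ordinal scale for probability and impact, models each mitigating control as removing an estimated fraction of the remaining risk, and uses assumed thresholds to band scores as low, medium or high. The constructed entries show the inversion described above: the highest inherent risk ends up ranked last once its control is counted, while an uncontrolled medium risk rises to the top of the list.

```python
"""Minimal risk register: inherent risk = probability x impact, residual risk
after mitigating controls, then ranking by residual risk.
Example code for this article; scale, effectiveness model and thresholds are assumptions."""
from dataclasses import dataclass, field

# Hypothetical 1..3 ordinal scale (assumption; the article names no scale).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of remaining risk removed, 0.0..1.0 (assumed estimate)


@dataclass
class Risk:
    risk_id: str
    description: str
    probability: int          # 1..3 on SCALE
    impact: int               # 1..3 on SCALE
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Inherent risk score before any controls are applied (1..9)."""
        return self.probability * self.impact

    def residual(self) -> float:
        """Residual risk: each control removes its share of what is left."""
        remaining = 1.0
        for control in self.controls:
            if not 0.0 <= control.effectiveness <= 1.0:
                raise ValueError(f"bad effectiveness on control {control.name!r}")
            remaining *= 1.0 - control.effectiveness
        return round(self.inherent() * remaining, 2)


def rating(score: float) -> str:
    """Band a 1..9 score; the thresholds are an assumption for this example."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_sample_register() -> list:
    """Constructed sample entries for illustration only; not real Aflac data."""
    return [
        Risk("R1", "Vendor stores policyholder PHI unencrypted at rest",
             SCALE["high"], SCALE["high"],
             [Control("contractual encryption clause + annual SOC 2 review", 0.8)]),
        Risk("R2", "Shared administrator account on claims reporting server",
             SCALE["medium"], SCALE["medium"]),  # no mitigating control recorded
        Risk("R3", "Legacy payment gateway without card tokenization",
             SCALE["high"], SCALE["medium"],
             [Control("network segmentation of cardholder environment", 0.5)]),
    ]


def prioritize(register: list) -> list:
    """Rank by residual risk, highest first; returns (id, inherent, residual, band)."""
    rows = [(r.risk_id, r.inherent(), r.residual(), rating(r.residual()))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def untreated(register: list) -> list:
    """Risks that have no mitigating control listed at all."""
    return [r.risk_id for r in register if not r.controls]


if __name__ == "__main__":
    reg = build_sample_register()
    for risk_id, inh, res, band in prioritize(reg):
        print(f"{risk_id}: inherent={inh} residual={res} ({band})")
    print("no controls recorded:", untreated(reg))
```

Running the module ranks R2 (inherent 4, no controls, residual 4.0) above R3 (inherent 6, residual 3.0) and R1 (inherent 9, residual 1.8), and `untreated()` flags R2 as the entry with no control at all. In a real register the effectiveness estimates would come from control testing rather than being typed in, which is exactly the alignment step that is hard to keep current by hand.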
5. Design flexibility into the process: This allows us to absorb known and new risk. The GRC concept continues to mature as factors that shape a company's programs change. New risks are revealed, the regulatory environment creates new pressures and new technology enters the workspace. A GRC program must have flexibility to adjust to the many changes, such as threats from organized crime, state-sponsored cyberattacks and new variants on old threats. Flexibility helps build resiliency and enables us to maintain structural integrity while addressing emerging threats.
The next step is to incorporate and align Aflac's other business-critical processes with our GRC program. This includes aligning governance and policy objectives with the tactical requirements of day-to-day risk identification and reduction.
When it comes to GRC automation, I've seen CISOs who implement a tool and get frustrated because it's not 100% complete from day one. It is important to understand that you must start somewhere. You might not be firing on all cylinders to start, but you can learn new information and adjust, then learn and adjust again. The key is to keep going and accept that GRC automation is going to be a long journey.
About the author
Tim Callahan, CISSP, CISM, CRISC, is vice president and chief information security officer at Aflac, Inc. In this role, Tim is responsible for the Aflac Information Security Program, which includes threat and vulnerability management, security operations and incident response, information technology compliance and risk management, security engineering, and disaster recovery.